A “targeted attack”, also called an Advanced Persistent Threat (APT), has recently become noticeable as a new kind of security threat that singles out a specific organization and attacks it persistently. An APT typically infects a terminal of the targeted organization with malware delivered through email; the malware then communicates with a server controlled by the attacker outside the organization, downloads further attack programs, or transmits confidential information out of the organization's systems. To detect such a security incident at an early stage and keep the damage from spreading, a “Security Operation Center” (SOC) service is needed that monitors the logs of network devices and detects suspicious signs. When an incident is detected, the organization has to carry out an incident response that includes investigating the cause and extent of the damage, studying countermeasures, restoring the affected service, implementing measures to prevent recurrence, and the like. Furthermore, depending on its clients or business partners, the organization may also have to clarify exactly which confidential information has been leaked and which has not.
Network forensics plays an important role when the organization investigates the cause of an incident and the resulting damage. Network forensics analyzes logs generated by personal computers, servers, network devices and the like, or packets captured on the network, to determine the intrusion route of the malware, the infected terminals, the information that was accessed, the attacker's commands, the information transmitted outside, and so on. Malware, however, now commonly uses cryptographic techniques to keep its communications secret. As a result, it has become difficult to trace and identify the commands sent by an attacker and the information transmitted outside, even when the organization performs network forensics.
To address this issue, the encryption logic and the key that the malware used to keep its communication secret must be identified so that the encrypted communication can be decrypted. Usually this requires analyzing the binary of the malware program. Existing methods for extracting encryption logic mostly identify the encryption logic and key by searching the execution trace recorded while the malware runs for characteristics typical of encryption logic, as does, for example, the malware analysis system disclosed in Patent Document 1. Among binary analysis technologies for malware programs, the technologies disclosed in Non-Patent Documents 1 through 9 are known.
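The following script illustrates, in concrete form, the kind of trace search the preceding paragraph describes: scanning an execution trace for loops that look like encryption logic. It is an added example and is not the method of Patent Document 1 or of any of the cited documents. The heuristics it applies (the share of bit-mixing instructions in a hot loop, immediates that match well-known cipher or hash constants, and memory operands the loop reads but never writes as candidate key or state buffers) are assumptions chosen for illustration, as are the one-instruction-per-line trace format and the signature table. The trace it scans is constructed inline: a 32-round TEA-style loop next to an ordinary byte-copy loop.

```python
"""Heuristic scan of an execution trace for encryption-like loops.

Added example, not the patent's method: it scores hot loops by the share of
bit-mixing instructions, flags immediates that match well-known cipher/hash
constants, and lists memory operands the loop only reads (candidate key or
state buffers). The trace format and signature table are assumptions.
"""
import re
from collections import Counter

# Mnemonics that dominate cipher rounds (assumed heuristic set).
MIXING = {"xor", "and", "or", "not", "shl", "shr", "sar", "rol", "ror",
          "add", "sub", "imul"}
# Mnemonics whose first operand is not written.
NO_WRITE = {"cmp", "test", "push", "jmp", "jnz", "jz", "jne", "je", "call"}
# Immediates that identify well-known primitives (assumed signature table).
KNOWN_CONSTANTS = {
    0x9E3779B9: "TEA/XTEA delta",
    0x67452301: "MD5/SHA-1 IV word A",
    0x6A09E667: "SHA-256 IV word A",
}
LINE_RE = re.compile(r"^(?P<addr>0x[0-9a-f]+)\s+(?P<mn>\w+)(?:\s+(?P<ops>.*))?$",
                     re.IGNORECASE)


def parse_trace(text):
    """Parse 'addr mnemonic operands' lines into (addr, mnemonic, operands)."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m["addr"], 16), m["mn"].lower(), m["ops"] or ""))
    return insns


def find_loops(insns, min_iters=8):
    """Address ranges executed at least min_iters times.

    A loop shows up in a dynamic trace as the same addresses recurring; hot
    addresses within 16 bytes of each other are merged into one body."""
    count = Counter(addr for addr, _, _ in insns)
    ranges = []
    for addr in sorted(a for a, c in count.items() if c >= min_iters):
        if ranges and addr - ranges[-1][1] <= 16:
            ranges[-1] = (ranges[-1][0], addr)
        else:
            ranges.append((addr, addr))
    return ranges


def score_loop(insns, rng, min_ratio=0.5):
    """Classify one loop body; returns a dict of evidence."""
    lo, hi = rng
    body = {a: (mn, ops) for a, mn, ops in insns if lo <= a <= hi}  # static body
    mixing = sum(mn in MIXING for mn, _ in body.values())
    ratio = mixing / len(body)
    consts, reads, writes = set(), set(), set()
    for mn, ops in body.values():
        for imm in re.findall(r"0x[0-9a-f]+", ops, re.IGNORECASE):
            name = KNOWN_CONSTANTS.get(int(imm, 16))
            if name:
                consts.add(name)
        parts = [p.strip() for p in ops.split(",") if p.strip()]
        for i, p in enumerate(parts):
            if p.startswith("["):
                (writes if i == 0 and mn not in NO_WRITE else reads).add(p)
    return {
        "range": (lo, hi),
        "size": len(body),
        "mixing_ratio": round(ratio, 2),
        "constants": sorted(consts),
        "read_only_mem": sorted(reads - writes),
        "crypto_like": ratio >= min_ratio or bool(consts),
    }


def scan(text, min_iters=8):
    """Return one evidence dict per hot loop found in the trace text."""
    insns = parse_trace(text)
    return [score_loop(insns, r) for r in find_loops(insns, min_iters)]


def make_sample_trace():
    """Constructed trace: prologue, a 32-round TEA-style loop, a byte-copy loop."""
    prologue = ["0x400ff0 push ebp", "0x400ff1 mov ebp, esp",
                "0x400ff3 mov edi, 0x20", "0x400ff8 xor esi, esi"]
    tea = ["0x401000 mov eax, [ebp-0x8]",      # v1
           "0x401003 shl eax, 0x4",
           "0x401006 add eax, [ebp-0x10]",     # k0
           "0x401009 mov ecx, [ebp-0x8]",
           "0x40100c add ecx, esi",            # v1 + sum
           "0x40100e xor eax, ecx",
           "0x401010 mov ecx, [ebp-0x8]",
           "0x401013 shr ecx, 0x5",
           "0x401016 add ecx, [ebp-0xc]",      # k1
           "0x401019 xor eax, ecx",
           "0x40101b add [ebp-0x4], eax",      # v0 += mix
           "0x40101e add esi, 0x9e3779b9",     # sum += delta
           "0x401024 dec edi",
           "0x401025 jnz 0x401000"]
    copy = ["0x402000 mov al, [esi]", "0x402002 mov [edi], al",
            "0x402004 inc esi", "0x402005 inc edi",
            "0x402006 cmp al, 0x0", "0x402008 jnz 0x402000"]
    return "\n".join(prologue + tea * 32 + copy * 16)


if __name__ == "__main__":
    for loop in scan(make_sample_trace()):
        print(loop)
```

On the constructed trace the TEA-style loop is reported with a mixing ratio of about 0.64, the TEA delta constant, and three read-only stack slots (the two key words and the untouched half of the block), while the copy loop scores 0.0 and is left unflagged. A real trace search has to cope with obfuscation that pads the loop with junk arithmetic or splits it across functions, which is why the constant signature and the read-only operand list are kept as independent pieces of evidence rather than folded into a single score.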